Abstract of JP2000200248 

PROBLEM TO BE SOLVED: To flexibly improve a device 
which is freely connected by accepting an FCCS plug from a 
mobile user for a connection with a computer system and 
using information featuring the mobile user for its operation. 
SOLUTION: A USB interface chip 40 receives USB packets 
from a USB host 20 and analyzes and sends the data out to 
a microprocessor 30. The microprocessor 30 writes the data 
to a firmware memory 50, a RAM 60, or user's data memory 
70 by using the protocol of respective memories or reads 
data out of it. In this case, the FCCS plug is used in relation 
to software having plug confirming capability as known 
before. The computer system received information featuring 
one mobile user in a group of mobile users and is frequently 
used to process the information, and the information 
featuring the mobile user is stored in the FCCS plug. 
METHOD AND DEVICE FOR INTERACTION BETWEEN USER AND COMPUTER 



Description of correspondent: EP1001329 



FIELD OF THE INVENTION 

[0001] The present invention relates to flexibly connectible computer apparatus and methods for using flexibly 
connectible hosts. 

BACKGROUND OF THE INVENTION 



[0002] The USB interface is described in specifications available over the Internet at www.usb.org. 

[0003] Firewire technology, also termed "IEEE 1394 technology", is an alternative to USB which also provides 
flexible connectivity and is described in the IEEE 1394 standard. 

[0004] USBHasp is an Aladdin software protection product, announced in October 1997, which includes a USB key. 
USBHasp does not control access of a user to a computer network but rather impedes interaction between software 
and a computer system by activating a copy of the software only if a USB key corresponding to that copy is plugged 
into the computer system. 

[0005] Conventionally, the only devices which have interacted via USB have been computers, keyboard, monitor, 
printer, mouse, smart card readers, and biometric readers. 

[0006] Conventional devices for providing computerized servicing to a mobile or stationary population of users 
typically include a smart card reader. The members of the mobile population bear smart cards which are used to 
interact with the computerized servicing device via the smart card reader. 

[0007] A particular disadvantage of smart cards is that they require a smart card reader which is a relatively costly 
device. Computer hosts which are equipped with a smart card reader are a small subset of the universe of computer 
hosts because addition of a smart card reader makes the computer considerably more expensive. 

[0008] German Patent document DE 19631050 describes an interface converter for a universal serial bus having a 
module with a processor that changes format and protocol into that of a different bus system. 

[0009] Rainbow Technologies, Inc., in a news release dated 17 November 1998, announced USB software protection 
keys which can also be used as authentication or access control devices. A unique ID number is assigned to each 
USB key, enabling the key to replace or supplement personal passwords. The unique ID of the USB key makes it 
useful as a notebook computer security device providing theft deterrence. Other uses for the USB keys include Web 
access control, client token for Virtual Private Network access, replacement for password generator tokens and 
storage of credentials, certificates and licenses. 

[0010] In a news release dated 19 January 1999, Rainbow Technologies, Inc. announced a new line of USB tokens 
for VPNs (virtual private networks) which provides end user client authentication to VPNs and enables operator 
access to secured network equipment. Features of these tokens include "Internet security small enough to fit on a 
key-ring" and "personalization for the end user". The tokens allow a user to keep personal information in his or her 
pocket rather than on a hard drive. 

[0011] A new "unique per individual" model of its USB based tokens was announced by Rainbow Technologies Inc. 
on 15 March 1999. 
[0012] The disclosures of all publications mentioned in the specification and of the publications cited therein are 
hereby incorporated by reference. 

SUMMARY OF THE INVENTION 

[0013] The present invention seeks to provide improved flexibly connectible apparatus and improved methods for 
using the same. 

[0014] There is thus provided, in accordance with a preferred embodiment of the present invention, a user-computer 
interaction method for use by a population of flexibly connectible computer systems and a population of mobile 
users, the method including storing information characterizing each mobile user on an FCCS plug to be borne by 
that mobile user and accepting the FCCS plug from the mobile user for connection to one of the flexibly connectible 
computer systems and employing the information characterizing the mobile user to perform at least one computer 
operation. 

[0015] Further in accordance with a preferred embodiment of the present invention, at least one computer operation 
comprises authentication. 

[0016] Also provided, in accordance with another preferred embodiment of the present invention, is an FCCS plug 
device to be borne by a mobile user, the FCCS plug device including a portable device which mates with a flexibly 
connectible computer system and comprises a memory and information characterizing the mobile user and stored in 
the memory accessibly to the flexibly connectible computer system. 

[0017] Also provided, in accordance with another preferred embodiment of the present invention, is a population of 
FCCS plug devices to be borne by a corresponding population of mobile users, the population of FCCS plug devices 
including a multiplicity of portable devices each of which mates with a flexibly connectible computer system and 
comprises a memory and information characterizing each mobile user in the population of mobile users and stored, 
accessibly to the flexibly connectible computer system, in the memory of the FCCS plug device to be borne by the 
mobile user. 

[0018] Additionally provided, in accordance with another preferred embodiment of the present invention, is an FCCS 
plug device including a mating element operative to mate with a flexibly connectible computer system and a memory 
connected adjacent the mating element, thereby to form a portable pocket-size plug, wherein the memory is 
accessible to the flexibly connectible computer system via the mating element. 

[0019] Also provided, in accordance with another preferred embodiment of the present invention, is an FCCS plug 
device including a mating element operative to mate with a flexibly connectible computer system and a CPU 
connected adjacent the mating element thereby to form a portable pocket-size plug, wherein the CPU has a data 
connection to the flexibly connectible computer system via the mating element. 

[0020] Further in accordance with a preferred embodiment of the present invention, the FCCS plug device also 
comprises a CPU connected adjacent the mating element, thereby to form a portable pocket-size plug, wherein the 
CPU has a data connection to the flexibly connectible computer system via the mating element. 

[0021] Still further in accordance with a preferred embodiment of the present invention, at least one computer 
operation comprises digital signature verification and/or controlling access to computer networks. 

[0022] Further in accordance with a preferred embodiment of the present invention, the information characterizing 
each mobile user comprises sensitive information not stored in the computer system, thereby to enhance 
confidentiality. 

[0023] Also provided, in accordance with another preferred embodiment of the present invention, is a user-computer 
interaction method for use by a population of flexibly connectible computer systems and a population of mobile 
users, the method including 
storing confidential information not stored by the flexibly connectible computer systems on an FCCS plug to be 
borne by an individual user within the population of mobile users and 

accepting the FCCS plug from the mobile user for connection to one of the flexibly connectible computer systems 
and employing the confidential information to perform at least one computer operation, thereby to enhance 
confidentiality. 



[0024] Preferably the apparatus also includes a microprocessor operative to receive the USB communications from 
the USB interface, to perform computations thereupon and to provide results of the computations to the data storage 
unit for storage and/or for encryption and/or for authentication and/or for access control. 

[0025] The term "USB port" refers to a port for connecting peripherals to a computer which is built according to a 
USB standard as described in USB specifications available over the Internet at www.usb.org. 

[0026] The term "USB plug" or "USB key" or "USB token" refers to a hardware device whose circuitry interfaces with 
a USB port to perform various functions. 

[0027] The term "smart card" refers to a typically plastic card in which is embedded a chip which interacts with a 
reader, thereby allowing a mobile bearer of the smart card to interact with a machine in which is installed a smart 
card reader, typically with any of a network of machines of this type. 

[0028] Also provided in accordance with a preferred embodiment of the present invention is an electronic token, 
which preferably mates with a flexible connection providing port such as the USB port of any computer system such 
as a PC, laptop, palmtop or peripheral. The electronic token preferably does not require any additional reading 
equipment. The token may authenticate information and/or store passwords or electronic certificates in a token 
which may be the size of a domestic house key. 

[0029] Preferably, when the token is inserted into a flexible connection providing port, a highly secure "dual factor 
authentication" process (e.g. "what you have" plus "what you know") takes place in which (a) the electronic token is 
"read" by the host PC or network and (b) the user types in his or her personal password for authorization. 

[0030] Suitable applications for the electronic token include authentication for VPN, extranet and e-commerce. 

[0031] The present invention also seeks to provide improved USB apparatus and improved methods for using the 
same. 

[0032] There is thus provided, in accordance with another preferred embodiment of the present invention, USB key 
apparatus for interacting with a USB host via a USB port, the USB key apparatus including a portable device 
configured to fit the USB port, the portable device including a USB interface conveying USB communications to and 
from a USB host, a protocol translator operative to translate the USB communications from USB protocol into smart 
card protocol such as an ISO 7816 protocol, and from smart card protocol into USB protocol, and a smart card chip 
operative to perform at least one smart card function such as authentication, encryption, access control and secure 
memory. 

[0033] Also provided, in accordance with another preferred embodiment of the present invention, is USB key 
apparatus with data storage capabilities, the USB key apparatus including a portable device such as a PCB, 
configured to fit the USB port, the portable device including a USB interface conveying USB communications to and 
from a USB host and a data storage unit storing information derived from the USB communications. 



BRIEF DESCRIPTION OF THE DRAWINGS 



[0034] The present invention will be understood and appreciated from the following detailed description, taken in 
conjunction with the drawings in which: 
Fig. 1 is a simplified block diagram of a USB plug device including a CPU and a non-ISO 7816 memory, the USB 
device being constructed and operative in accordance with a preferred embodiment of the present invention; 
Fig. 2 is a simplified block diagram of a USB plug device including a CPU and an ISO 7816 memory, the USB device 
being constructed and operative in accordance with a preferred embodiment of the present invention; 
Fig. 3 is an exploded front view of an FCCS plug constructed and operative in accordance with a preferred 
embodiment of the present invention and implementing the USB plug device of Fig. 1 ; 

Fig. 4 is an exploded view of an FCCS plug constructed and operative in accordance with a preferred embodiment of 
the present invention and implementing the USB plug device of Fig. 2; and 

Figs. 5A - 5B pictorially illustrate a user-computer interaction method provided in accordance with a preferred 
embodiment of the present invention for use by a population of flexibly connectible computer systems and a 
population of mobile users. 



DETAILED DESCRIPTION OF PREFERRED EMBODIMENTS 



[0035] Reference is now made to Fig. 1 which is a simplified block diagram of a flexibly connectible USB plug device 
including a CPU and a non-ISO 7816 memory, the USB device being constructed and operative in accordance with a 
preferred embodiment of the present invention. 

[0036] A particular feature of the USB plug device of Fig. 1 is that it has data storage capabilities and is thus 
analogous to a memory smart card. 

[0037] The USB plug device 10 comprises a PCB 25 which includes a microprocessor or CPU 30 such as a 
Motorola 6805, Cypress chip or Intel 8051; a USB interface device 40; firmware memory 50 serving the firmware of 
the microprocessor 30; RAM memory 60 of size sufficient to enable contemplated computations on the part of the 
microprocessor 30; and user data memory 70 which stores a user's data. Some or all of the USB interface device 
40, firmware memory 50 and RAM memory 60 may be within the CPU 30. 

[0038] The USB interface device 40 and/or the firmware memory 50 may be integrated inside the microprocessor 30. 



[0039] The firmware memory may be any suitable type of memory such as but not limited to ROM, EPROM, 
EEPROM or FLASH. 

[0040] The user data memory 70 typically does not include ISO 7816-3 memory and may, for example, comprise any 
of the following types of memory: I²C, XI²C, 2/3 wire bus, FLASH. 

[0041] As shown, the USB plug device 10 is configured to interact with any USB host 20 such as but not limited to a 
personal computer or Macintosh having a USB port. Key-host interaction is governed by a USB protocol such as the 
USB protocol described in the USB specifications available over the Internet at www.usb.org. USB packets pass 
between the USB host 20 and the USB interface chip 40. Each packet typically includes the following components: 

a. USB header; 

b. Data to be stored/read on the user's data memory 70, plus additional information required by protocols of the 
memory chip 70, such as but not limited to the address to store/read the data, the length of data to store/read, and 
CRC checksum information. 

c. USB footer. 



[0042] The flow of data typically comprises the following flow: 

[0043] The USB interface chip 40 receives USB packets from the USB host 20, parses the data, and feeds the 
parsed data to the microprocessor 30. The microprocessor 30 writes the data to, or reads the data from, the 
firmware memory 50, the RAM 60 or the user's data memory 70, using each memory's protocol. 






[0044] In read operation, the microprocessor 30 passes the data to the USB interface chip 40 which wraps the data 
in USB packet format and passes it to the host 20. 

[0045] Fig. 2 is a simplified block diagram of a USB plug device, constructed and operative in accordance with a 
preferred embodiment of the present invention, which is a one-piece smart card reader and smart card chip 
preferably providing both secured storage and cryptographic capabilities. The USB plug device of Fig. 2 includes 
both a CPU and a smart card chip (ICC) memory 170, typically an ISO 7816 (T=0/1) protocol-based chip 
communicating with the CPU 130 using an ISO 7816-3 protocol. The apparatus of Fig. 2 is similar to the apparatus of 
Fig. 1 except that no separate user's data memory 70 is provided. The size of the RAM 160 is typically at least 262 
bytes in order to support the ISO 7816-3 T=0 or T=1 protocols. 

[0046] Each packet typically includes the following components: 

a. USB header; 

b. ISO 7816-3 T=0/1 protocol packet; 

c. USB footer. 



[0047] The flow of data in the apparatus of Fig. 2 typically comprises the following flow: 

[0048] The USB interface chip 140 gets USB packets from the USB host 120. The USB interface chip 140 parses 
the data and passes it to the microprocessor 130. The data, which typically comprises an ISO 7816-3 T=0/1 formatted 
packet, is passed by the microprocessor to the smart-card 170 in an ISO 7816-3 protocol. The microprocessor 130 
gets the response from the smart card 160 and passes the data to the USB interface chip 140. The USB interface 
chip 140 wraps the data in USB packet format and passes it to the host 120. 
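Below is an added Python simulation of the two data flows described above ([0041]-[0044] for the Fig. 1 memory plug and [0046]-[0048] for the Fig. 2 smart card plug); it is not code from the patent or from any product. The USB framing bytes, the address/length/CRC payload layout, the memory size, the PIN and the stored record are constructed assumptions; only the ISO 7816-4 status words are real values.

```python
import hmac
import struct
import zlib

USB_HEADER, USB_FOOTER = b"\xAA\x55", b"\x55\xAA"   # constructed stand-ins for the USB header/footer

class FramingError(ValueError):
    """A packet failed a framing, length, address-range or CRC check inside the plug."""

def wrap_usb(payload: bytes) -> bytes:
    """USB interface chip (40/140): wrap a payload in USB packet format for the host."""
    return USB_HEADER + payload + USB_FOOTER

def unwrap_usb(packet: bytes) -> bytes:
    """USB interface chip (40/140): strip the USB header and footer of a host packet."""
    if len(packet) < 4 or not packet.startswith(USB_HEADER) or not packet.endswith(USB_FOOTER):
        raise FramingError("bad USB framing")
    return packet[len(USB_HEADER):-len(USB_FOOTER)]

class MemoryPlug:
    """Fig. 1 device (memory size assumed). Constructed payload: op(1) | address(2, BE) |
    length(1) | data | CRC-32(4) over all preceding bytes, i.e. the fields listed in [0041]."""
    OP_READ, OP_WRITE = 0x00, 0x01

    def __init__(self, size=256):
        self.mem = bytearray(size)                        # user data memory 70

    def handle(self, packet: bytes) -> bytes:             # microprocessor 30
        body = unwrap_usb(packet)
        if len(body) < 8:
            raise FramingError("payload too short")
        op, addr, length = struct.unpack(">BHB", body[:4])
        data, crc = body[4:-4], struct.unpack(">I", body[-4:])[0]
        if zlib.crc32(body[:-4]) != crc:
            raise FramingError("CRC mismatch")            # corrupted or tampered packet
        if addr + length > len(self.mem):
            raise FramingError("address range outside user data memory")
        if op == self.OP_WRITE:
            if len(data) != length:
                raise FramingError("length field does not match data")
            self.mem[addr:addr + length] = data
            resp = b"\x00"                                # constructed 'write OK' status
        elif op == self.OP_READ:
            resp = bytes(self.mem[addr:addr + length])    # [0044]: data flows back to the host
        else:
            raise FramingError("unknown operation")
        return wrap_usb(resp + struct.pack(">I", zlib.crc32(resp)))

def host_memory_request(op: int, addr: int, data: bytes = b"", length=None) -> bytes:
    """USB host 20: build a read or write packet for the Fig. 1 plug."""
    length = len(data) if length is None else length
    body = struct.pack(">BHB", op, addr, length) + data
    return wrap_usb(body + struct.pack(">I", zlib.crc32(body)))

class SmartCardChip:
    """Fig. 2 element 170: ISO 7816-3 T=0 chip, simulated as a minimal applet (VERIFY, READ
    BINARY). Status words are ISO 7816-4 values; PIN, retry limit and record are constructed."""
    def __init__(self, pin: bytes, record: bytes):
        self.pin, self.record = pin, record
        self.retries, self.verified = 3, False

    def process(self, tpdu: bytes) -> bytes:
        if len(tpdu) < 5:
            return b"\x67\x00"                            # wrong length
        _cla, ins, p1, p2, p3 = tpdu[:5]
        data = tpdu[5:]
        if ins == 0x20:                                   # VERIFY: the 'what you know' factor of [0029]
            if self.retries == 0:
                return b"\x69\x83"                        # authentication method blocked
            if len(data) != p3:
                return b"\x67\x00"
            if hmac.compare_digest(data, self.pin):
                self.verified, self.retries = True, 3
                return b"\x90\x00"
            self.retries -= 1
            return bytes([0x63, 0xC0 | self.retries])     # 63Cx: x retries remaining
        if ins == 0xB0:                                   # READ BINARY of the confidential record
            if not self.verified:
                return b"\x69\x82"                        # security status not satisfied
            return self.record[(p1 << 8 | p2):(p1 << 8 | p2) + p3] + b"\x90\x00"
        return b"\x6D\x00"                                # INS not supported

def smartcard_plug_handle(chip: SmartCardChip, packet: bytes) -> bytes:
    """Fig. 2 plug ([0048]): chip 140 unwraps, microprocessor 130 passes the T=0 packet to
    the smart card chip, and the response is wrapped back into a USB packet for host 120."""
    return wrap_usb(chip.process(unwrap_usb(packet)))

def t0_command(cla, ins, p1, p2, p3, data=b"") -> bytes:
    """USB host 120: wrap a T=0 command header plus optional data for the Fig. 2 plug."""
    return wrap_usb(bytes([cla, ins, p1, p2, p3]) + data)

def demo() -> dict:
    """Both exchanges end to end; returns the unwrapped responses keyed by step."""
    plug, chip = MemoryPlug(), SmartCardChip(pin=b"1234", record=b"medical-record-42")
    plug.handle(host_memory_request(MemoryPlug.OP_WRITE, 0x0010, b"alice"))
    out = {"read_back": plug.handle(host_memory_request(MemoryPlug.OP_READ, 0x0010, length=5))}
    for name, cmd in [("before_pin", (0xB0, 0, 0, 5)), ("bad_pin", (0x20, 0, 0, 4, b"0000")),
                      ("good_pin", (0x20, 0, 0, 4, b"1234")), ("after_pin", (0xB0, 0, 0, 5))]:
        out[name] = smartcard_plug_handle(chip, t0_command(0x00, *cmd))
    return {name: unwrap_usb(pkt) for name, pkt in out.items()}
```

The checks the plug performs before touching memory (framing, length, address range, CRC) and the retry counter behind VERIFY are the points to look for when reviewing firmware of this kind.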

[0049] A particular advantage of the embodiment of Fig. 2 is that smart card functionality is provided but there is no 
need for a dedicated reader because the plug 110 is connected directly to a USB socket in the host 120. 

[0050] The invention shown and described herein is particularly useful for computerized systems serving 
organizations which process sensitive information such as banks, insurance companies, accountants and other 
commercial organizations, and professional organizations such as medical or legal organizations. 

[0051] Conventional computer systems include a computer (comprising a motherboard) and at least one peripheral. 
The computer has a number of different ports which respectively mate with the ports of the various peripherals. Each 
port typically can mate with only certain peripherals and not with other peripherals. For example, the keyboard 
cannot be connected to the computer via the computer's printer port. 

[0052] In state of the art computer systems, also termed herein "flexibly connectible computer systems", the 
computer and the peripherals each include at least one identical port having mating ports on any other computer 
and any other peripheral such that any peripheral can be selectably connected to any computer or to any other 
peripheral. Also, a peripheral may be connected to the computer not directly as in conventional systems but rather 
via another peripheral. There is generally always a port available on one or more connected peripherals in an 
existing computer system such that another peripheral can generally always be connected to an existing computer 
system. 

[0053] One example of a flexibly connectable computer system is a USB (universal standard bus) system in which 
the computer and each peripheral includes a USB port. Another example of a flexibly connectable computer system 
is the recently contemplated Firewire system. 

[0054] A "USB plug" is a portable device which mates with a USB system and, as opposed to peripherals which 
contain mechanical elements, typically comprises only memory and/or CPU and therefore is typically pocket-size. 
More generally, a USB plug is an example of a plug which can be plugged into a flexibly connectible computer 
system (FCCS). 

[0055] The term "FCCS plug" is used herein to refer to a portable device which mates with a flexibly connectible 
computer system and, as opposed to peripherals which contain mechanical elements, typically comprises only 
memory and/or CPU and therefore is typically pocket-size. It is appreciated that because each peripheral connected 
onto a flexibly connectible computer system typically has at least one port, therefore, a flexibly connectible computer 
system of any configuration typically has at least one vacant port available to interact with an FCCS plug. USB 
tokens and Rainbow tokens are both examples of FCCS plugs. 

[0056] Typically, each of the plurality of computer system units (computer and one or more peripherals) forming a 
computer system has at least two identical female sockets and these are interconnected by means of male-male 
cables. In this embodiment, the FCCS plug may comprise a male socket. However, it is appreciated that any suitable 
mating scheme may be employed to mate the computer system units and the FCCS plug of the present 
invention. 

[0057] A known use for FCCS plugs is use in conjunction with software having plug-recognizing capability. Aladdin 
and Rainbow both market software which is operative only if the host computer system in which a particular software 
copy resides has plugged into it an FCCS plug which is recognized by the software copy. The Aladdin and Rainbow 
plugs are not used for authentication. 

[0058] Computer systems are often used to receive information characterizing a mobile user, who is one of a 
population of mobile users, and to process this information. Such information may comprise user identity 
authentication information, banking information, access rights information, etc. Conventionally, this information is 
stored on a smart card which is borne by the user and is presented to the computer system by him. However this 
requires the computer system to be equipped with a smart card reader, a special piece of equipment dedicated to 
reading the smart card. 

[0059] According to a preferred embodiment of the present invention, information characterizing a mobile user is 
stored on an FCCS plug. Particular advantages of this embodiment of the present invention are that the information is 
easily borne by the user, on a pocketsize substrate, that any flexibly connectible computer system of any 
configuration is typically capable of interacting with the user via the FCCS plug, and that no dedicated equipment is 
required by the computer in order to carry out the interaction. 

[0060] Reference is now made to Fig. 3 which is an exploded front view of an FCCS plug constructed and operative 
in accordance with a preferred embodiment of the present invention and implementing the USB key device of Fig. 1. 
As shown, the FCCS plug of Fig. 3 comprises a housing typically formed of two snap-together planar cover elements 
200 and 210, between which reside a USB connector 220 and the PCB 25 of Fig. 1. The USB connector 220 may, 
for example, comprise a USB PLUG SMT ⟨ACN-0213⟩ device marketed by Aska Technologies Inc., No. 
15, Alley 22, Lane 266, Fu Teh, 1st Rd., Hsi Chih, Taipei Shien, Taiwan. The PCB 25 bears the elements 30, 40, 50, 
60 and 70 of Fig. 1. Firmware managing the memory 240 may reside on the USB interface controller 230. 

[0061] Reference is additionally made to Fig. 4 which is an exploded view of an FCCS plug constructed and 
operative in accordance with a preferred embodiment of the present invention and implementing the USB key device 
of Fig. 2. As shown, the FCCS plug of Fig. 4 comprises a housing typically formed of two snap-together planar cover 
elements 200 and 210, between which reside the USB connector 220 and a PCB 125. The PCB 125 bears the 
elements 130, 140, 150, 160 and 170 of Fig. 2. Firmware managing the smart card chip 250 may reside on the USB 
interface controller 230. 

[0062] Smart card functionalities which are preferably provided by the FCCS plug of the present invention include: 

1 . Controlling access to computer networks: Smart card or plug has ID information, network authenticates and allows 
access on that basis. Authentication may be based upon "what you have", "what you are" (e.g. biometric information) 
and "what you know" (e.g. password). 

2. Digital signatures or certificates for verifying or authenticating the identity of the sender of a document. 

3. Storage of confidential information e.g. medical information. A smart card or plug may store confidential 
information and interact with a network which does not store the confidential information. 



[0063] Figs. 5A - 5B pictorially illustrate a user-computer interaction method provided in accordance with a preferred 
embodiment of the present invention for use by a population of flexibly connectible computer systems 300 and a 
population of mobile users. Information characterizing each mobile user, e.g. name and ID, is loaded into the 
memory of an FCCS plug 310 to be borne by that mobile user, typically via a USB interface controller such as unit 
230 of Fig. 3. 

[0064] The plug can then be connected to one of the flexibly connectible computer systems and the information 
characterizing the mobile user employed to perform at least one computer operation typically comprising a 
conventional smart card functionality such as authentication. 

[0065] Features of a preferred embodiment of the present invention are now described: 
a. The need for enhanced user authentication 



Authentication is the basis for any information security system. The ability to authenticate local and remote users is a 
critical issue for any LAN/Intranet, multi-user environment 



b. The need for encryption and confidentiality 



Content encryption & confidentiality becomes an important issue for both the corporation and the individual users 



c. The need for password and Sign-On security 



Password security and user password management are key issues for network corporate users. Passwords 
represent the single most important security concern in any computing environment 



[0069] There is a need today for hardware-based PC security tokens 

Sign-On-Key (SOK) is a hardware-based token that seamlessly integrates with Operating Systems & Applications to 
provide: 

- a user authentication key 

- a basis for encryption system 

- better Sign-On security and enhanced user password management 

- Software Security 



Authentication - 3 Basic Elements 



Something you know -> Password 
Something you have -> Sign-On-Key 
Something you are -> e.g., Bio-metrics 

Assumption: Two out of the above three provide "good-enough" security. 



Encryption 



The need to encrypt data, files, disks and information flow is evident. 

A hardware-based token with cryptographic abilities can enhance security and ease of use. 



Sign-On - Where are Passwords used? 



Log on to your O/S 

Log on to your Network (Local, Remote) 

Log on to the Internet/ISP 

Log on to protected Web pages 

Log on to Group Ware/Communications applications 

Log on to other sensitive password-protected applications 

MS Office & other protected files 

PC Boot protection (Bios Password) 



Sign-On - Major Security Risks 



The Sign-On Process 

[0073] The Sign-On-Key is a security hardware token, linked by the user to the required applications. Once installed 
the Sign-On-Key becomes a part of the log-on process. Sign-On-Key provides the user with many security and 
other functional benefits. 

What Can Sign-On-Key Do For a User? 



Sign-On Security 

- Enhance security & authentication. The Sign-On-Key is required in addition to the user password 
Sign-On Simplicity 

- Simplify log-on process and eliminate the need for a password. The Sign-On-Key replaces the password 
Password Automatic Re-verification 

- Check for Sign-On-Key periodically 
Single-Sign-On 

- One Sign-On-Key replaces several passwords for several applications 
Mobility & Remote Computing 

- Sign-On-Key identifies remote users 

- Sign-On-Key can be used as a data secure container 

- Theft deterrent of mobile PCs 

General Purpose Security Token 

- File & data Encryption 

- Authentication 

- Certificate Key Holder 



Sign-On-Key Various Options 



Several hardware devices may operate as Sign-On-Keys: 

- Sign-On-Key USB - A small key that connects to the new standard USB port. USB ports are becoming the new 
connectivity standard for PCs and Macintosh 

- Sign-On-Key SC - A smart card based Sign-On-Key. Can be used with any standard smart card drive 



Sign-On-Key USPs & Advantages 



Simple, intuitive, easy to use, attractive token 
The key IS the token IS the connector 
Low cost 
High security 
High functionality 

- Memory inside token 

- Processing power 

- Automatic Password Re-verification 

- Multi token connectivity 

The Agents' solution 
Sign-On-Key Architecture 



Full Blown System. 



Sign On Agents 



The Sign-On-Agent is a software interface between the Sign-On-Key and the application. 
The Sign-On-Boot is a special interface for the PC boot password. 
Agents may be provided for: 

- OS/Net Ware - e.g., Windows NT, 95/98, 3x, Novell, Unix 

- Group Ware/Mail - e.g, Lotus Notes, Outlook, Eudora, 

- Enterprise Applications - e.g., SAP, Baan, MK, Oracle, Magic 

- Web Browsers - e.g., Explorer, Navigator 



The Most Trivial Agent - Windows NT 



The most trivial Agent will replace the Windows Login session 
By doing so Users may gain 

- Windows Login Extra security 

- Windows Login simplification (Sign-On-Key replaces password) 



Sign-On-Key Web Browsers' Agent/System 



Sign-On-Key can be used as an authentication token to monitor access to secured web pages 
Web content providers need to authenticate, manage and provide access to their customers 



Sign-On-Key API (SDK) 



Sign-On-Key API is the interface level between the Sign-On-Key and 3rd parties' applications. 

This API may be published and opened for usage by certification providers, security companies and SSO 
companies. 
The Sign-On-Key API will also provide encryption & protected memory storage services 
Sign-On-Key API may be PKCS #11 based/compatible 



The Sign-On Process (No CA) 



Installation 

- User installs Agents for required applications 

- User defines Sign-On Parameters for each application 

- User stores Sign-On information in Sign-On-Key 

Sign-On 

- Application is started 

- Application reaches its Sign-On dialog 

- Application communicates with the Sign-On-Key 

- Sign-On permission is granted based on Sign-On-Key 



Sign-On-Key As a Secure Container 



In addition to unique Key ID, Sign-On-Key will contain personal protected memory area 
This memory area can be used for storing sensitive information and Certificates 
Applications' ID keys like Lotus Notes ID file or PGP keys can be stored in this memory 

Doing so - Sign-On-Key can be used to increase mobile computing security. Files IDs are stored in Sign-On-Key 
instead of disk 
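The installation, sign-on and periodic re-verification steps above ("The Sign-On Process (No CA)", "Password Automatic Re-verification") together with the secure container, as an added host-side simulation in Python that is not Sign-On-Key code. The SignOnKey and SignOnAgent classes, the key IDs, and the PBKDF2 password verifier kept in the key's protected memory are all assumptions made for the example.

```python
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 50_000      # constructed work factor for the stored password verifier

class SignOnKey:
    """Sign-On-Key with a unique Key ID and a personal protected memory area (simulated)."""

    def __init__(self, key_id: str):
        self.key_id = key_id
        self.connected = True           # set to False when the user pulls the key
        self._protected = {}            # application name -> stored sign-on record

    def store(self, app: str, record: dict) -> None:
        self._protected[app] = record

    def read(self, app: str):
        return self._protected.get(app)

class SignOnAgent:
    """Software interface between one application and the Sign-On-Key. require_password=True
    is 'Sign-On Security' (key in addition to password); False is 'Sign-On Simplicity'."""

    def __init__(self, app: str, enrolled_key_id: str, require_password: bool):
        self.app, self.enrolled_key_id = app, enrolled_key_id   # key linked at installation
        self.require_password, self.session_open = require_password, False

    def install(self, key: SignOnKey, credential: bytes, password: bytes = b"") -> None:
        """Installation: the sign-on information for this application goes into the key's
        protected memory, not onto the host's disk ('Files IDs are stored in Sign-On-Key')."""
        record = {"credential": credential}
        if self.require_password:
            record["salt"] = os.urandom(16)
            record["verifier"] = hashlib.pbkdf2_hmac("sha256", password, record["salt"], PBKDF2_ROUNDS)
        key.store(self.app, record)

    def _key_present(self, key) -> bool:
        """'What you have': the enrolled key, and no other, must be physically connected."""
        return key is not None and key.connected and key.key_id == self.enrolled_key_id

    def sign_on(self, key, password: bytes = b""):
        """Sign-On: the application reached its dialog and asks for permission; returns the
        stored credential on success and None on refusal."""
        if not self._key_present(key) or key.read(self.app) is None:
            return None
        record = key.read(self.app)
        if self.require_password:
            attempt = hashlib.pbkdf2_hmac("sha256", password, record["salt"], PBKDF2_ROUNDS)
            if not hmac.compare_digest(attempt, record["verifier"]):
                return None
        self.session_open = True
        return record["credential"]

    def reverify(self, key) -> bool:
        """Password Automatic Re-verification: periodic check that the key is still present;
        the session is closed as soon as it is not."""
        if not self._key_present(key):
            self.session_open = False
        return self.session_open
```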



Sign-On-Key An Encryption Engine & Sign-On-Key Crypt 



Sign-On-Key can be used as an encrypting device 

An encryption API may be provided, e.g., a 100% smart card compatible Sign-On-Key implementation 
Sign-On-Key Crypt is a Data/File/Hard disk encryption utility based on Sign-On-Key. 



Sign-On-Key Certification Toolkit 



SOK may use PKCS #11 and X.509 and store certificates and/or digital IDs. 
Sign-On-Key comprises: 



Sign-On-Key USB Token 

HASP 

Hardlock 

Initial Sign-On-Key functionality(Unique ID, personal protected memory) 

Sign-On-Key USB extension cable 

Sign-On-Key Smart Card Token 

Sign-On-Key API (PKCS #11 compliant) 

Entrust compatibility/link 

Windows NT Agent 

Navigator and/or Explorer Agent (S/Mime) 
Key Plus Crypt (Beta release) 
Secure Screen Saver 
Initial marketing package 

USB proliferation & Windows 98/NT availability are key issues.

In the US, Germany & Israel all new PCs shipped are USB equipped.

Section in Early Development stage.

Security Dynamics, ActivCard & Vasco control the market with 1st generation time-based, one-time password or
challenge-based tokens.

Security vendors will look to expand their market share with second generation integrated smart card offerings which
will support cryptography, digital signature storage and processing activity.



USB: The Better Connection 



Almost unlimited port expansion 
No add-in cards for new peripherals 

- no setting of IRQs, DMAs, etc. 
One connection type (plug and port) 

- variety of peripherals 

- no more guesswork 

- simple setup, just plug in and go 



USB: The Better Connection 



Addresses need for speed, multimedia 

- 12 Mb/s, Asynch (bulk) & Isoch (real time) data 
- stereo-quality digital audio

- high frame-rate video (with compression) 

- high latency applications (force-feedback) 

No power bricks with many new peripherals 

- USB supplies up to 500mA 

PC User experience is vastly improved 

- Fewer returns and increased sales potential 



[0088] It is appreciated that USB is only one example of a flexible connectivity standard and the present invention is 
not intended to be limited to USB. 

[0089] It is appreciated that the software components of the present invention may, if desired, be implemented in 
ROM (read-only memory) form. The software components may, generally, be implemented in hardware, if desired, 
using conventional techniques. 

[0090] It is appreciated that various features of the invention which are, for clarity, described in the contexts of 
separate embodiments may also be provided in combination in a single embodiment. Conversely, various features of 
the invention which are, for brevity, described in the context of a single embodiment may also be provided separately 
or in any suitable subcombination. 

[0091] It will be appreciated by persons skilled in the art that the present invention is not limited to what has been 
particularly shown and described hereinabove. Rather, the scope of the present invention is defined only by the 
claims that follow: 

[0092] Where technical features mentioned in any claim are followed by reference signs, those reference signs have 
been included just for the sole purpose of increasing intelligibility of the claims and accordingly, such reference signs 
do not have any limiting effect on the scope of each element identified by way of example by such reference signs. 



Claims of correspondent: EP1001329 



1. A user-computer interaction method for use by a population of flexibly connectible computer systems and a
population of mobile users, the method comprising:

storing information characterizing each mobile user on an FCCS plug to be borne by that mobile user; and 
accepting the FCCS plug from the mobile user for connection to one of the flexibly connectible computer systems 
and employing the information characterizing the mobile user to perform at least one computer operation. 



2. A method according to claim 1 wherein said at least one computer operation comprises authentication. 

3. An FCCS plug device to be borne by a mobile user, the FCCS plug device comprising: 

a portable device which mates with a flexibly connectible computer system and comprises a memory; and 
information characterizing the mobile user and stored in said memory accessibly to the flexibly connectible computer 
system. 



4. A population of FCCS plug devices to be borne by a corresponding population of mobile users, the population of 
FCCS plug devices comprising: 

a multiplicity of portable devices each of which mates with a flexibly connectible computer system and comprises a 
memory; and 

information characterizing each mobile user in the population of mobile users and stored, accessibly to the flexibly 
connectible computer system, in the memory of the FCCS plug device to be borne by said mobile user. 



5. An FCCS plug device comprising: 

a mating element operative to mate with a flexibly connectible computer system; and 

a memory connected adjacent said mating element, thereby to form a portable pocket-size plug, wherein the 

memory is accessible to the flexibly connectible computer system via said mating element. 



6. An FCCS plug device comprising: 

a mating element operative to mate with a flexibly connectible computer system; and 

a CPU connected adjacent said mating element, thereby to form a portable pocket-size plug, wherein the CPU has a 
data connection to the flexibly connectible computer system via said mating element. 



7. An FCCS plug device according to claim 5 and also comprising a CPU connected adjacent said mating element, 
thereby to form a portable pocket-size plug, wherein the CPU has a data connection to the flexibly connectible 
computer system via said mating element. 

8. A method according to claim 1 wherein said at least one computer operation comprises digital signature 
verification. 

9. A method according to claim 2 wherein said at least one computer operation comprises controlling access to 
computer networks. 
10. A method according to claim 1 wherein said information characterizing each mobile user comprises sensitive
information not stored in said computer system, thereby to enhance confidentiality.

11. A user-computer interaction method for use by a population of flexibly connectible computer systems and a 
population of mobile users, the method comprising: 

storing confidential information not stored by the flexibly connectible computer systems on an FCCS plug to be 
borne by an individual user within said population of mobile users; and 

accepting the FCCS plug from the mobile user for connection to one of the flexibly connectible computer systems 
and employing the confidential information to perform at least one computer operation, thereby to enhance 
confidentiality. 



12. USB key apparatus for interacting with a USB host via a USB port, the USB key apparatus comprising:

a portable device configured to fit the USB port, the portable device comprising:

a USB interface conveying USB communications to and from a USB host;

a protocol translator operative to translate the USB communications from USB protocol into smart card protocol and
from smart card protocol into USB protocol; and

a smart card chip operative to perform at least one smart card function.



13. USB key apparatus according to claim 12 wherein the smart card protocol comprises an ISO7816 protocol.

14. USB key apparatus with data storage capabilities, the USB key apparatus comprising: 

a portable device configured to fit a USB port, the portable device comprising: 

a USB interface conveying USB communications to and from a USB host; and 
a data storage unit storing information derived from the USB communications. 



15. Apparatus according to claim 12 wherein the smart card function comprises at least one function selected from 
the group consisting of secured memory, authentication, encryption and access control. 

16. Apparatus according to claim 14 and also comprising a microprocessor operative to receive said USB 
communications from the USB interface, to perform computations thereupon and to provide results of the 
computations to the data storage unit for storage. 

17. A method for interacting with a USB host via a USB port, the method comprising: 

configuring a portable device to fit the USB port; 
conveying USB communications to and from a USB host; 

translating the USB communications from USB protocol into smart card protocol and from smart card protocol into 
USB protocol; and 

providing a smart card chip operative to perform at least one smart card function. 

18. A method according to claim 17 wherein the smart card protocol comprises an ISO7816 protocol.

19. A data storage method comprising: 
configuring a portable device to fit a USB port; 
conveying USB communications to and from a USB host; and
storing information derived from the USB communications.



20. A method according to claim 17 wherein the smart card function comprises at least one function selected from
the group consisting of secured memory, authentication, encryption and access control.

21. A method according to claim 19 and also comprising employing a microprocessor to receive said USB
communications from the USB interface, to perform computations thereupon and to provide results of the
computations to the data storage unit for storage.
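Claims 12 and 17 place a protocol translator between the USB interface and the smart card chip, and claims 13 and 18 name ISO7816 as the smart card protocol. The following added example, which is not code from the patent, models that translation in Python at the command-APDU level of ISO 7816-4: a host command arrives as a length-prefixed USB frame, is decoded into an APDU (CLA INS P1 P2, optional Lc and data, optional Le), is handled by a minimal card that implements SELECT, VERIFY and READ BINARY, and the response with its two-byte status word is framed back for the host. The USB framing, the toy card, its PIN and its file contents are constructed assumptions. The example also shows the access-control function of claim 15 in action: READ BINARY is refused until the PIN has been verified, and the card counts down retries on wrong PINs.

```python
import struct
from dataclasses import dataclass, field

# ISO 7816-4 status words returned by the toy card chip.
SW_OK = b"\x90\x00"
SW_SECURITY_NOT_SATISFIED = b"\x69\x82"
SW_AUTH_BLOCKED = b"\x69\x83"
SW_NO_FILE_SELECTED = b"\x69\x86"
SW_FILE_NOT_FOUND = b"\x6A\x82"
SW_INS_NOT_SUPPORTED = b"\x6D\x00"


def parse_apdu(raw: bytes) -> dict:
    """Decode a short-form command APDU: CLA INS P1 P2 [Lc data] [Le] (cases 1 to 4)."""
    if len(raw) < 4:
        raise ValueError("APDU shorter than the 4-byte header")
    apdu = {"cla": raw[0], "ins": raw[1], "p1": raw[2], "p2": raw[3], "data": b"", "le": None}
    body = raw[4:]
    if not body:                                  # case 1: header only
        return apdu
    if len(body) == 1:                            # case 2: header + Le (0 means 256)
        apdu["le"] = body[0] or 256
        return apdu
    lc, data, rest = body[0], body[1:1 + body[0]], body[1 + body[0]:]
    if len(data) != lc:
        raise ValueError("Lc does not match the data length")
    apdu["data"] = data
    if len(rest) == 1:                            # case 4: data + Le
        apdu["le"] = rest[0] or 256
    elif rest:
        raise ValueError("trailing bytes after Le")
    return apdu                                   # case 3 when nothing follows the data


@dataclass
class ToyCardChip:
    """Stand-in for the smart card chip: a PIN, two small files, ISO 7816-style replies (constructed)."""
    pin: bytes
    files: dict = field(default_factory=lambda: {0x0001: b"alice@example.test",
                                                 0x0002: b"certificate-placeholder"})
    selected: int = -1
    verified: bool = False
    tries_left: int = 3

    def process(self, apdu: dict) -> bytes:
        ins = apdu["ins"]
        if ins == 0xA4:                           # SELECT FILE by 2-byte file identifier
            fid = int.from_bytes(apdu["data"], "big") if len(apdu["data"]) == 2 else -1
            if fid not in self.files:
                return SW_FILE_NOT_FOUND
            self.selected = fid
            return SW_OK
        if ins == 0x20:                           # VERIFY: compare reference data (PIN)
            if self.tries_left == 0:
                return SW_AUTH_BLOCKED
            if apdu["data"] == self.pin:
                self.verified, self.tries_left = True, 3
                return SW_OK
            self.tries_left -= 1
            return bytes([0x63, 0xC0 | self.tries_left])  # '63CX': X retries remain
        if ins == 0xB0:                           # READ BINARY from the selected file
            if not self.verified:
                return SW_SECURITY_NOT_SATISFIED
            if self.selected < 0:
                return SW_NO_FILE_SELECTED
            offset = (apdu["p1"] << 8) | apdu["p2"]
            return self.files[self.selected][offset:offset + (apdu["le"] or 256)] + SW_OK
        return SW_INS_NOT_SUPPORTED


def frame(payload: bytes) -> bytes:
    """Assumed USB bulk framing: 2-byte big-endian length followed by the APDU bytes."""
    return struct.pack(">H", len(payload)) + payload


def unframe(data: bytes) -> bytes:
    (length,) = struct.unpack(">H", data[:2])
    if len(data) - 2 != length:
        raise ValueError("frame length field does not match payload")
    return data[2:]


def translate(card: ToyCardChip, usb_frame: bytes) -> tuple:
    """The translator's round trip: USB frame -> APDU -> card -> response -> USB frame -> (data, SW)."""
    response = card.process(parse_apdu(unframe(usb_frame)))
    reply = unframe(frame(response))             # what the host receives, unwrapped again
    return reply[:-2], reply[-2:]


def demo() -> dict:
    """Drive the toy card through select, a refused read, a wrong PIN, a good PIN and a read."""
    card = ToyCardChip(pin=b"1234")
    return {
        "select": translate(card, frame(b"\x00\xA4\x00\x00\x02\x00\x01")),
        "read_before_pin": translate(card, frame(b"\x00\xB0\x00\x00\x05")),
        "wrong_pin": translate(card, frame(b"\x00\x20\x00\x80\x04" + b"0000")),
        "verify": translate(card, frame(b"\x00\x20\x00\x80\x04" + b"1234")),
        "read": translate(card, frame(b"\x00\xB0\x00\x00\x05")),
    }
```

The translator itself stays protocol-agnostic: `parse_apdu` only enforces the APDU length rules (Lc must match the data, Le is the only byte allowed after it), and every policy decision, including the PIN retry counter, is made by the card side, which is where claim 15's secured memory, authentication and access control functions live.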
[Japanese-language description of the same invention, paragraphs [0033] to [0079], followed by the brief description of the drawings (Figures 1 to 5B); the text is unreadable in this extraction and is not reproduced.]
1. Title of Invention

USER-COMPUTER INTERACTION METHOD AND APPARATUS

3. Detailed Description of Invention

FIELD OF THE INVENTION
The present invention relates to flexibly connectible computer apparatus and
methods for using flexibly connectible hosts.

BACKGROUND OF THE INVENTION
The USB interface is described in specifications available over the Internet at
www.usb.org.

Firewire technology, also termed "IEEE 1394 technology", is an alternative to
USB which also provides flexible connectivity and is described in the IEEE 1394 standard.

USBHasp is an Aladdin software protection product, announced in October
1997, which includes a USB key. USBHasp does not control access of a user to a computer
network but rather impedes interaction between software and a computer system by activating
a copy of the software only if a USB key corresponding to that copy is plugged into the
computer system.

Conventionally, the only devices which have interacted via USB have been
computers, keyboard, monitor, printer, mouse, smart card readers, and biometric readers.

Conventional devices for providing computerized servicing to a mobile or
stationary population of users typically include a smart card reader. The members of the
mobile population bear smart cards which are used to interact with the computerized servicing
device via the smart card reader.

A particular disadvantage of smart cards is that they require a smart card reader
which is a relatively costly device. Computer hosts which are equipped with a smart card
reader are a small subset of the universe of computer hosts because addition of a smart card
reader makes the computer considerably more expensive.

German Patent document DE 19631050 describes an interface converter for a
universal serial bus having a module with a processor that changes format and protocol into
that of a different bus system.

Rainbow Technologies, Inc., in a news release dated 17 November 1998,
announced USB software protection keys which can also be used as authentication or access
control devices. A unique ID number is assigned to each USB key, enabling the key to replace
or supplement personal passwords. The unique ID of the USB key makes it useful as a
notebook computer security device providing theft deterrence. Other uses for the USB keys
include Web access control, client token for Virtual Private Network access, replacement for
password generator tokens and storage of credentials, certificates and licenses.

In a news release dated 19 January 1999, Rainbow Technologies, Inc.
announced a new line of USB tokens for VPNs (virtual private networks) which provides end
user client authentication to VPNs and enables operator access to secured network equipment.
Features of these tokens include "Internet security small enough to fit on a key-ring" and
"personalization for the end user". The tokens allow a user to keep personal information in his
or her pocket rather than on a hard drive.

A new "unique per individual" model of its USB based tokens was announced
by Rainbow Technologies Inc. on 15 March 1999.

The disclosures of all publications mentioned in the specification and of the
publications cited therein are hereby incorporated by reference.
SUMMARY OF THE INVENTION

The present invention seeks to provide improved flexibly connectible
apparatus and improved methods for using the same.

There is thus provided, in accordance with a preferred embodiment of the
present invention, a user-computer interaction method for use by a population of flexibly
connectible computer systems and a population of mobile users, the method including storing
information characterizing each mobile user on an FCCS plug to be borne by that mobile user
and accepting the FCCS plug from the mobile user for connection to one of the flexibly
connectible computer systems and employing the information characterizing the mobile user
to perform at least one computer operation.

Further in accordance with a preferred embodiment of the present invention, at
least one computer operation comprises authentication.

Also provided, in accordance with another preferred embodiment of the
present invention, is an FCCS plug device to be borne by a mobile user, the FCCS plug
device including a portable device which mates with a flexibly connectible computer system
and comprises a memory and information characterizing the mobile user and stored in the
memory accessibly to the flexibly connectible computer system.

Also provided, in accordance with another preferred embodiment of the
present invention, is a population of FCCS plug devices to be borne by a corresponding
population of mobile users, the population of FCCS plug devices including a multiplicity of
portable devices each of which mates with a flexibly connectible computer system and
comprises a memory and information characterizing each mobile user in the population of
mobile users and stored, accessibly to the flexibly connectible computer system, in the
memory of the FCCS plug device to be borne by the mobile user.

Additionally provided, in accordance with another preferred embodiment of
the present invention, is an FCCS plug device including a mating element operative to mate
with a flexibly connectible computer system and a memory connected adjacent the mating
element, thereby to form a portable pocket-size plug, wherein the memory is accessible to the
flexibly connectible computer system via the mating element.

Also provided, in accordance with another preferred embodiment of the
present invention, is an FCCS plug device including a mating element operative to mate with a
flexibly connectible computer system and a CPU connected adjacent the mating element,
thereby to form a portable pocket-size plug, wherein the CPU has a data connection to the
flexibly connectible computer system via the mating element.
Further in accordance with a preferred embodiment of the present invention, 
the FCCS plug device also comprises a CPU connected adjacent the mating element, thereby 
to form a portable pocket-size plug, wherein the CPU has a data connection to the flexibly 
connectible computer system via the mating element. 

Still further in accordance with a preferred embodiment of the present 
invention, at least one computer operation comprises digital signature verification and/or 
controlling access to computer networks. 

Further in accordance with a preferred embodiment of the present invention, 
the information characterizing each mobile user comprises sensitive information not stored in 
the computer system, thereby to enhance confidentiality. 

Also provided, in accordance with another preferred embodiment of the 
present invention, is a user-computer interaction method for use by a population of flexibly 
connectible computer systems and a population of mobile users, the method including 

storing confidential information not stored by the flexibly connectible computer 
systems on an FCCS plug to be borne by an individual user within the population of mobile 
users, and 

accepting the FCCS plug from the mobile user for connection to one of the flexibly 
connectible computer systems and employing the confidential information to perform at least 
one computer operation, thereby to enhance confidentiality. 

Preferably the apparatus also includes a microprocessor operative to receive 
the USB communications from the USB interface, to perform computations thereupon and to 
provide results of the computations to the data storage unit for storage and/or for encryption 
and/or for authentication and/or for access control. 

The term "USB port" refers to a port for connecting peripherals to a computer 
which is built according to a USB standard as described in USB specifications available over 
the Internet at www.usb.org. 

The term "USB plug" or "USB key" or "USB token" refers to a hardware 
device whose circuitry interfaces with a USB port to perform various functions. 

The term "smart card" refers to a typically plastic card in which is embedded a 
chip which interacts with a reader, thereby allowing a mobile bearer of the smart card to 
interact with a machine in which is installed a smart card reader, typically with any of a 
network of machines of this type. 

Also provided in accordance with a preferred embodiment of the present 
invention is an electronic token, which preferably mates with a flexible connection providing 
port such as the USB port of any computer system such as a PC, laptop, palmtop or 
peripheral. The electronic token preferably does not require any additional reading equipment. 
The token may authenticate information and/or store passwords or electronic certificates in a 
token which may be the size of a domestic house key. 

Preferably, when the token is inserted into a flexible connection providing port, 
a highly secure "dual factor authentication" process (e.g. "what you have" plus "what you 
know") takes place in which (a) the electronic token is "read" by the host PC or network and 
(b) the user types in his or her personal password for authorization. 

Suitable applications for the electronic token include authentication for VPN, 
extranet and e-commerce. 

The present invention also seeks to provide improved USB apparatus and 
improved methods for using the same. 

There is thus provided, in accordance with another preferred embodiment of 
the present invention, USB key apparatus for interacting with a USB host via a USB port, the 
USB key apparatus including a portable device configured to fit the USB port, the portable 
device including a USB interface conveying USB communications to and from a USB host, a 
protocol translator operative to translate the USB communications from USB protocol into 
smart card protocol such as an ISO 7816 protocol, and from smart card protocol into USB 
protocol, and a smart card chip operative to perform at least one smart card function such as 
authentication, encryption, access control and secure memory. 

Also provided, in accordance with another preferred embodiment of the 
present invention, is USB key apparatus with data storage capabilities, the USB key apparatus 
including a portable device, such as an FCCS plug, configured to fit the USB port, the portable device 
including a USB interface conveying USB communications to and from a USB host and a 
data storage unit storing information derived from the USB communications. 
DETAILED DESCRIPTION OF PREFERRED EMBODIMENTS 

Reference is now made to Fig. 1 which is a simplified block diagram of a 
flexibly connectible USB plug device including a CPU and a non-ISO 7816 memory, the USB 
device being constructed and operative in accordance with a preferred embodiment of the 
present invention. 

A particular feature of the USB plug device of Fig. 1 is that it has data storage 
capabilities and is thus analogous to a memory smart card. 

The USB plug device 10 comprises a PCB 25 which includes a microprocessor 
or CPU 30 such as a Motorola 6805, Cypress chip or Intel 8051; a USB interface device 40; 
firmware memory 50 serving the firmware of the microprocessor 30; RAM memory 60 of 
size sufficient to enable contemplated computations on the part of the microprocessor 30; and 
user data memory 70 which stores a user's data. Some or all of the USB interface device 40, 
firmware memory 50 and RAM memory 60 may be within the CPU 30. 

The USB interface device 40 and/or the firmware memory 50 may be 
integrated inside the microprocessor 30. 

The firmware memory may be any suitable type of memory such as but not 
limited to ROM, EPROM, EEPROM or FLASH. 

The user data memory 70 typically does not include ISO 7816-3 memory and 
may, for example, comprise any of the following types of memory: I²C, XI²C, 2/3 wire bus, 
FLASH. 

As shown, the USB plug device 10 is configured to interact with any USB host 
20 such as but not limited to a personal computer or Macintosh having a USB port. Key-host 
interaction is governed by a USB protocol such as the USB protocol described in the USB 
specifications available over the Internet at www.usb.org. USB packets pass between the USB 
host 20 and the USB interface chip 40. Each packet typically includes the following 
components: 

a. USB header; 

b. Data to be stored/read on the user's data memory 70, plus additional 
information required by protocols of the memory chip 70, such as but not limited to the 
address to store/read the data, the length of data to store/read, and CRC checksum 
information; 

c. USB footer. 

The flow of data typically comprises the following flow: 

The USB interface chip 40 receives USB packets from the USB host 20, parses 
the data, and feeds the parsed data to the microprocessor 30. The microprocessor 30 writes the 
data to, or reads the data from, the firmware memory 50, the RAM 60 or the user's data 
memory 70, using each memory's protocol. 

In read operation, the microprocessor 30 passes the data to the USB interface 
chip 40 which wraps the data in USB packet format and passes it to the host 20. 
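The following is a worked model of the Fig. 1 data path, added here as an illustration; it is not part of the patent and not any vendor's firmware. It frames a host request with the fields the text lists (header, operation and target memory, address, length, payload, CRC checksum, footer), has the device side verify the framing and checksum, dispatch the read or write to one of the three memories, and wrap the reply the same way. The byte layout, the two-byte header and one-byte footer, the CRC-8 polynomial, the status codes and the rule that the host may not address firmware memory 50 are assumptions of this example, not details given on the page.

```python
"""Model of the Fig. 1 USB plug data path (added example, not the patent's firmware).

Frame layout assumed for this example (the patent lists the fields, not their encoding):
    header  : b"US"  (2 bytes, stands in for the USB header)
    opcode  : 1 byte, 0x01 = read, 0x02 = write
    target  : 1 byte, 0x50 = firmware memory, 0x60 = RAM, 0x70 = user data memory
    address : 2 bytes big-endian
    length  : 1 byte
    payload : `length` bytes for a write, empty for a read
    crc     : 1 byte CRC-8 (polynomial 0x07) over opcode..payload
    footer  : b"E"
"""
import struct

HEADER, FOOTER = b"US", b"E"
OP_READ, OP_WRITE = 0x01, 0x02
MEM_FIRMWARE, MEM_RAM, MEM_USER = 0x50, 0x60, 0x70


def crc8(data: bytes, poly: int = 0x07) -> int:
    """Bitwise CRC-8 with the given polynomial and zero initial value."""
    crc = 0
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = ((crc << 1) ^ poly) & 0xFF if crc & 0x80 else (crc << 1) & 0xFF
    return crc


class PlugDevice:
    """Microprocessor 30 plus its three memories (50, 60, 70) as byte arrays."""

    def __init__(self, user_mem_size: int = 256, ram_size: int = 262):
        self.mem = {
            MEM_FIRMWARE: bytearray(b"FW-IMAGE" + bytes(56)),  # constructed firmware image
            MEM_RAM: bytearray(ram_size),
            MEM_USER: bytearray(user_mem_size),
        }
        # Assumed policy, not stated in the patent: the host may read/write
        # user data and RAM, but firmware memory is never host-addressable.
        self.host_accessible = {MEM_RAM, MEM_USER}

    def handle_frame(self, frame: bytes) -> bytes:
        """Role of USB interface chip 40: unwrap, verify, dispatch, re-wrap the reply."""
        if len(frame) < len(HEADER) + 6 + len(FOOTER):   # op, tgt, addr(2), len, crc
            return self._reply(0xFF, b"short frame")
        if frame[:2] != HEADER or frame[-1:] != FOOTER:
            return self._reply(0xFF, b"bad framing")
        body, crc = frame[2:-2], frame[-2]
        if crc8(body) != crc:                             # reject before touching memory
            return self._reply(0xFF, b"crc mismatch")
        op, tgt, addr, length = struct.unpack(">BBHB", body[:5])
        status, data = self._dispatch(op, tgt, addr, length, body[5:])
        return self._reply(status, data)

    def _dispatch(self, op, tgt, addr, length, payload):
        """Role of microprocessor 30: select the memory and perform the access."""
        if tgt not in self.mem:
            return 0x02, b"unknown memory"
        if tgt not in self.host_accessible:
            return 0x03, b"access denied"
        region = self.mem[tgt]
        if addr + length > len(region):                   # bounds check on the address/length pair
            return 0x04, b"out of range"
        if op == OP_READ and not payload:
            return 0x00, bytes(region[addr:addr + length])
        if op == OP_WRITE and len(payload) == length:
            region[addr:addr + length] = payload
            return 0x00, b""
        return 0x01, b"bad opcode/length"

    @staticmethod
    def _reply(status: int, data: bytes) -> bytes:
        body = bytes([status]) + data
        return HEADER + body + bytes([crc8(body)]) + FOOTER


def build_frame(op: int, tgt: int, addr: int, length: int, payload: bytes = b"") -> bytes:
    """Host-side framing of one read or write request."""
    body = struct.pack(">BBHB", op, tgt, addr, length) + payload
    return HEADER + body + bytes([crc8(body)]) + FOOTER


def parse_reply(reply: bytes):
    """Return (status, data) from a device reply, or (None, None) on a framing/CRC error."""
    if reply[:2] != HEADER or reply[-1:] != FOOTER:
        return None, None
    body, crc = reply[2:-2], reply[-2]
    if crc8(body) != crc:
        return None, None
    return body[0], bytes(body[1:])


if __name__ == "__main__":
    dev = PlugDevice()
    record = b"alice:0042"   # constructed "name and ID" record
    print(parse_reply(dev.handle_frame(build_frame(OP_WRITE, MEM_USER, 0x0010, len(record), record))))
    print(parse_reply(dev.handle_frame(build_frame(OP_READ, MEM_USER, 0x0010, len(record)))))
    print(parse_reply(dev.handle_frame(build_frame(OP_READ, MEM_FIRMWARE, 0x0000, 8))))
```

The access rule is the part that matters in practice: without it, a memory-only plug of this kind is readable in full by any host it is inserted into, so the information it carries about the user is protected only by possession of the plug. The Fig. 2 variant below puts that data behind a smart card chip for exactly that reason.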

Fig. 2 is a simplified block diagram of a USB plug device, constructed and 
operative in accordance with a preferred embodiment of the present invention, which is a 
one-piece smart card reader and smart card chip preferably providing both secured storage 
and cryptographic capabilities. The USB plug device of Fig. 2 includes both a CPU and a 
smart card chip (ICC) memory 170, typically an ISO 7816 T=0/1 protocol-based chip 
communicating with the CPU 130 using an ISO 7816-3 protocol. The apparatus of Fig. 2 is 
similar to the apparatus of Fig. 1 except that no separate user's data memory 70 is provided. 
The size of the RAM 160 is typically at least 262 bytes in order to support the ISO 7816-3 
T=0 or T=1 protocols. 

Each packet typically includes the following components: 

a. USB header; 

b. ISO 7816-3 T=0/1 protocol packet; 

c. USB footer. 

The flow of data in the apparatus of Fig. 2 typically comprises the following 
flow: 

The USB interface chip 140 gets USB packets from the USB host 120. The 
USB interface chip 140 parses the data and passes it to the microprocessor 130. The data, 
which typically comprises an ISO 7816-3 T=0/1 formatted packet, is passed by the 
microprocessor to the smart card 170 in an ISO 7816-3 protocol. The microprocessor 130 gets 
the response from the smart card 170 and passes the data to the USB interface chip 140. The 
USB interface chip 140 wraps the data in USB packet format and passes it to the host 120. 

A particular advantage of the embodiment of Fig. 2 is that smart card 
functionality is provided but there is no need for a dedicated reader because the plug 110 is 
connected directly to a USB socket in the host 120. 
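As an added illustration of the Fig. 2 flow (not the patent's firmware, nor any card vendor's code), the example below builds an ISO 7816-3 T=1 information block around a SELECT command APDU, carries it inside a USB frame, has the microprocessor role hand the block to a stand-in card chip, and returns the card's status bytes by the same route. The T=1 prologue (NAD, PCB, LEN) and the LRC epilogue follow ISO 7816-3; the USB header and footer bytes, the toy card's fixed responses and the application identifier it recognises are constructed for this example.

```python
"""Model of the Fig. 2 data path: an ISO 7816-3 T=1 block carried inside a USB frame,
forwarded by the CPU to the smart card chip, and the answer returned the same way.
Added example, not the patent's firmware or any vendor's code.

T=1 block layout (ISO 7816-3): NAD | PCB | LEN | INF (0..254 bytes) | EDC,
where EDC is the LRC (XOR of every preceding byte) in the default configuration.
The USB header/footer bytes are an assumption of this example.
"""

USB_HEADER, USB_FOOTER = b"US", b"E"
MAX_INF = 254


def lrc(data: bytes) -> int:
    """Longitudinal redundancy check: XOR of all bytes."""
    x = 0
    for b in data:
        x ^= b
    return x


def t1_i_block(inf: bytes, seq: int, nad: int = 0x00, more: bool = False) -> bytes:
    """Build an I-block. PCB bit 0x40 carries N(S); bit 0x20 is the more-data (chaining) flag."""
    if len(inf) > MAX_INF:
        raise ValueError("INF exceeds the T=1 maximum")
    pcb = ((seq & 1) << 6) | (0x20 if more else 0)
    prologue = bytes([nad, pcb, len(inf)])
    return prologue + inf + bytes([lrc(prologue + inf)])


def t1_parse(block: bytes):
    """Return (nad, pcb, inf); raise ValueError if the length field or the LRC is wrong."""
    if len(block) < 4:
        raise ValueError("block too short")
    nad, pcb, length = block[0], block[1], block[2]
    if len(block) != 3 + length + 1:
        raise ValueError("LEN does not match block size")
    if lrc(block[:-1]) != block[-1]:
        raise ValueError("EDC (LRC) mismatch")
    return nad, pcb, block[3:-1]


class ToyCardChip:
    """Stand-in for ICC 170: answers SELECT by name of one known AID with 9000,
    other commands with 6D00 (instruction not supported). Constructed behaviour;
    a real ISO 7816-4 card does far more than this."""
    KNOWN_AID = bytes.fromhex("A000000003")   # constructed identifier

    def __init__(self):
        self.ns = 0   # card's own send-sequence number N(S)

    def process(self, block: bytes) -> bytes:
        nad, pcb, apdu = t1_parse(block)       # a bad LRC raises here, nothing is executed
        if pcb & 0x80:                          # R- or S-block: not modelled
            resp = bytes.fromhex("6F00")
        elif len(apdu) >= 5 and apdu[1] == 0xA4 and apdu[5:5 + apdu[4]] == self.KNOWN_AID:
            resp = bytes.fromhex("9000")
        else:
            resp = bytes.fromhex("6D00")
        out = t1_i_block(resp, self.ns, nad)
        self.ns ^= 1
        return out


def host_to_card(usb_frame: bytes, chip: ToyCardChip) -> bytes:
    """Role of USB interface chip 140 + microprocessor 130: unwrap the USB frame,
    relay the T=1 block to the ICC unchanged, wrap the ICC's block for the host."""
    if usb_frame[:2] != USB_HEADER or usb_frame[-1:] != USB_FOOTER:
        raise ValueError("bad USB framing")
    card_block = chip.process(usb_frame[2:-1])
    return USB_HEADER + card_block + USB_FOOTER


def select_aid_status(aid: bytes, chip: ToyCardChip, seq: int = 0) -> bytes:
    """Full round trip for one SELECT (CLA=00 INS=A4 P1=04 P2=00); returns SW1 SW2."""
    apdu = bytes([0x00, 0xA4, 0x04, 0x00, len(aid)]) + aid
    frame = USB_HEADER + t1_i_block(apdu, seq) + USB_FOOTER
    reply = host_to_card(frame, chip)
    _, _, inf = t1_parse(reply[2:-1])
    return inf


if __name__ == "__main__":
    chip = ToyCardChip()
    print(select_aid_status(bytes.fromhex("A000000003"), chip).hex())   # 9000
    print(select_aid_status(bytes.fromhex("DEADBEEF"), chip, seq=1).hex())  # 6d00
```

The microprocessor in this path only relays blocks and never interprets the APDU, so key material and access decisions stay on the card chip; that separation, rather than the USB transport itself, is what makes the one-piece reader design more than a memory plug.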

The invention shown and described herein is particularly useful for 
computerized systems serving organizations which process sensitive information such as 
banks, insurance companies, accountants and other commercial organizations, and 
professional organizations such as medical or legal organizations. 



Conventional computer systems comprise a computer (comprising a 
motherboard) and at least one peripheral. The computer has a number of different ports 
which respectively mate with the ports of the various peripherals. Each port typically can 
mate with only certain peripherals and not with other peripherals. For example, the keyboard 
cannot be connected to the computer via the computer's printer port. 

In state of the art computer systems, also termed herein "flexibly connectible 
computer systems", the computer and the peripherals each include at least one identical port, 
having mating ports on any other computer and any other peripheral such that any peripheral 
can be selectably connected to any computer or to any other peripheral. Also, a peripheral 
may be connected to the computer not directly as in conventional systems but rather via 
another peripheral. There is generally always a port available on one or more connected 
peripherals in an existing computer system such that another peripheral can generally always 
be connected to an existing computer system. 

One example of a flexibly connectable computer system is a USB (universal 
serial bus) system in which the computer and each peripheral includes a USB port. Another 
example of a flexibly connectible computer system is the recently contemplated Firewire 
system. 

A "USB plug" is a portable device which mates with a USB system and, as 
opposed to peripherals which contain mechanical elements, typically comprises only memory 
and/or CPU and therefore is typically pocket-size. More generally, a USB plug is an example 
of a plug which can be plugged into a flexibly connectible computer system (FCCS). 

The term "FCCS plug" is used herein to refer to a portable device which mates 
with a flexibly connectible computer system and, as opposed to peripherals which contain 
mechanical elements, typically comprises only memory and/or CPU and therefore is typically 
pocket-size. It is appreciated that because each peripheral connected onto a flexibly 
connectible computer system typically has at least one port, therefore, a flexibly connectible 
computer system of any configuration typically has at least one vacant port available to 
interact with an FCCS plug. USB tokens and Rainbow tokens are both examples of FCCS 
plugs. 

Typically, each of the plurality of computer system units (computer and one or 
more peripherals) forming a computer system has at least two identical female sockets and 
these are interconnected by means of male-male cables. In this embodiment, the FCCS plug 
may comprise a male socket. However, it is appreciated that any suitable mating scheme may 
be employed to mate the computer system units and the FCCS plug of the present 
invention. 

A known use for FCCS plugs is use in conjunction with software having 
plug-recognition capability. Aladdin and Rainbow both market software which is operative 
only if the host computer system in which a particular software copy resides has plugged into 
it an FCCS plug which is recognized by the software copy. The Aladdin and Rainbow 
plugs are not used for authentication. 

Computer systems are often used to receive information characterizing a 
mobile user, who is one of a population of mobile users, and to process this information. Such 
information may comprise user identity authentication information, banking information, 
access rights information, etc. Conventionally, this information is stored on a smart card 
which is borne by the user and is presented to the computer system by him. However this 
requires the computer system to be equipped with a smart card reader, a special piece of 
equipment dedicated to reading the smart card. 

According to a preferred embodiment of the present invention, information 
characterizing a mobile user is stored on an FCCS plug. Particular advantages of this 
embodiment of the present invention are that the information is easily borne by the user, on a 
pocket-size substrate, that any flexibly connectible computer system of any configuration is 
typically capable of interacting with the user via the FCCS plug, and that no dedicated 
equipment is required by the computer in order to carry out the interaction. 

Reference is now made to Fig. 3 which is an exploded front view of an FCCS 
plug constructed and operative in accordance with a preferred embodiment of the present 
invention and implementing the USB key device of Fig. 1. As shown, the FCCS plug of Fig. 3 
comprises a housing typically formed of two snap-together planar cover elements 200 and 
210, between which reside a USB connector 220 and the PCB 25 of Fig. 1. The USB 
connector 220 may, for example, comprise a USB PLUG SMT <ACN-0213> device marketed 
by Asica Technologies Inc., No. 15, Alley 22, Lane 266, Fu Teh 1st Rd., Hsi Chih, Taipei 
Hsien, Taiwan. The PCB 25 bears the elements 30, 40, 50, 60 and 70 of Fig. 1. Firmware 
managing the memory 240 may reside on the USB interface controller 230. 

Reference is additionally made to Fig. 4 which is an exploded view of an 
FCCS plug constructed and operative in accordance with a preferred embodiment of the 
present invention and implementing the USB key device of Fig. 2. As shown, the FCCS plug 
of Fig. 4 comprises a housing typically formed of two snap-together planar cover elements 
200 and 210, between which reside the USB connector 220 and a PCB 125. The PCB 125 
bears the elements 130, 140, 150, 160 and 170 of Fig. 2. Firmware managing the smart card 
chip 250 may reside on the USB interface controller 230. 

Smart card functionalities which are preferably provided by the FCCS plug of 
the present invention include: 

1. Controlling access to computer networks: Smart card or plug has ID 
information, network authenticates and allows access on that basis. Authentication may be 
based upon "what you have", "what you are" (e.g. biometric information) and "what you know" 
(e.g. password). 

2. Digital signatures or certificates for verifying or authenticating the identity of 
the sender of a document. 

3. Storage of confidential information, e.g. medical information. A smart card or 
plug may store confidential information and interact with a network which does not store the 
confidential information. 

Figs. 5A - 5B pictorially illustrate a user-computer interaction method 
provided in accordance with a preferred embodiment of the present invention for use by a 
population of flexibly connectible computer systems 300 and a population of mobile users. 
Information characterizing each mobile user, e.g. name and ID, is loaded into the memory of 
an FCCS plug 310 to be borne by that mobile user, typically via a USB interface controller 
such as unit 230 of Fig. 3. 

The plug can then be connected to one of the flexibly connectible computer 
systems and the information characterizing the mobile user employed to perform at least one 
computer operation typically comprising a conventional smart card functionality such as 
authentication. 

Features of a preferred embodiment of the present invention are now 
described: 

a. The need for enhanced user authentication 

* Authentication is the basis for any information security system. The ability to 
authenticate local and remote users is a critical issue for any LAN/Intranet, multi-user 
environment. 

b. The need for encryption and confidentiality 

* Content encryption & confidentiality becomes an important issue for both the 
corporation and the individual user. 

c. The need for password and Sign-On security 

* Password security and user password management are key issues for network 
corporate users. Passwords represent the single most important security concern in any 
computing environment. 

There is a need today for hardware-based PC security tokens. 

* Sign-On-Key (SOK) is a hardware-based token that seamlessly integrates with Operating 
Systems & Applications to provide: 

- a user authentication key 

- a basis for encryption system 

- better Sign-On security and enhanced user password management 

- Software Security 

Authentication - 3 Basic Elements 

* Something you know --> Password 

* Something you have --> Sign-On-Key 

* Something you are --> e.g. Bio-metrics 

* Assumption: Two out of the above three provide "good-enough" security. 
Encryption 

* The need to encrypt data, files, disks and information flow is evident. 

* A hardware-based token with cryptographic abilities can enhance security and ease of use. 

Sign-On - Where are Passwords used? 

* Log on to your O/S 

* Log on to your Network (Local, Remote) 

* Log on to the Internet/ISP 

* Log on to protected Web pages 

* Log on to GroupWare/Communications applications 

* Log on to other sensitive password-protected applications 

* MS Office & other protected files 

* PC Boot protection (BIOS Password) 

Sign-On - Major Security Risks 

The Sign-On Process 

The Sign-On-Key is a security hardware token, linked by the user to the required 
applications. Once installed the Sign-On-Key becomes a part of the log-on process. 
Sign-On-Key provides the user with many security and other functional benefits. 

What Can Sign-On-Key Do For a User? 

* Sign-On Security 

- Enhance security & authentication. The Sign-On-Key is required in addition to the user 
password 

* Sign-On Simplicity 

- Simplify log-on process and eliminate the need for a password. The Sign-On-Key replaces 
the password 

* Password Automatic Re-verification 

- Check for Sign-On-Key periodically 

* Single-Sign-On 

- One Sign-On-Key replaces several passwords for several applications 

* Mobility & Remote Computing 

- Sign-On-Key identifies remote users 

- Sign-On-Key can be used as a data secure container 

- Theft deterrent of mobile PCs 

* General Purpose Security Token 

- File & data Encryption 

- Authentication 

- Certificate Key Holder 
Sign-On-Key Options 

* Several hardware devices may operate as Sign-On-Keys: 

- Sign-On-Key USB - A small key that connects to the new standard USB port. USB ports 
are becoming the new connectivity standard for PCs and Macintosh 

- Sign-On-Key SC - A smart card based Sign-On-Key. Can be used with any standard smart 
card drive 

Sign-On-Key USPs & Advantages 

* Simple, intuitive, easy to use, attractive token 

* The key is the token is the connector 

* Low cost 

* High security 

* High functionality 

* Memory inside token 

- Processing power 

- Automatic Password Re-verification 

- Multi token connectivity 

* The Agents' solution 

Sign-On-Key Architecture 

Full Blown System. 

Sign On Agents 

* The Sign-On-Agent is a software interface between the Sign-On-Key and the application. 

* The Sign-On-Boot is a special interface for the PC boot password. 

* Agents may be provided for 

- OS/NetWare - e.g., Windows NT, 95/98, 3.x, Novell, Unix 

- GroupWare/Mail - e.g. Lotus Notes, Outlook, Eudora 

- Enterprise Applications - e.g., SAP, Baan, MK, Oracle, Magic 

- Web Browsers - e.g., Explorer, Navigator 
The Most Trivial Agent - Windows NT 

* The most trivial Agent will replace the Windows Login session 

* By doing so Users may gain 

- Windows Login Extra security 

- Windows Login simplification (Sign-On-Key replaces password) 

Sign-On-Key Web Browsers' Agent/System 

* Sign-On-Key can be used as an authentication token to monitor access to secured web 
pages 

* Web content providers need to authenticate, manage and provide access to their customers 

Sign-On-Key API (SDK) 

* Sign-On-Key API is the interface level between the Sign-On-Key and 3rd parties' 
applications. 

* This API may be published and opened for usage by certification providers, security 
companies and SSO companies. 

* The Sign-On-Key API will also provide encryption & protected memory storage services 

* Sign-On-Key API may be PKCS #11 based/compatible 
The Sign-On Process (No CA) 

* Installation 

- User installs Agents for required applications 

- User defines Sign-On Parameters for each application 

- User stores Sign-On information in Sign-On-Key 

* Sign-On 

- Application is started 

- Application reaches its Sign-On dialog 

- Application communicates with the Sign-On-Key 

- Sign-On permission is granted based on Sign-On-Key 
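The dual-factor process described earlier on this page (the token is "read" by the host and the user types a password) and the installation and sign-on sequence just listed are illustrated together by the following added example. It is not the patent's, Aladdin's or any Sign-On-Key implementation. The token is modelled in software; the token factor is checked by an HMAC challenge-response, the password by a salted PBKDF2 hash, and the "check for Sign-On-Key periodically" step is a re-challenge that drops the session when the key has gone. All of these are design choices assumed here, as are the class and method names.

```python
"""Two-factor sign-on with a hardware token and a password.
Added example for this page; not the patent's or any vendor's code.
The token, the HMAC challenge-response, the PBKDF2 password hash and the
periodic presence check are all assumptions of this example.
"""
import hashlib
import hmac
import os
import secrets


class Token:
    """'Something you have': holds a per-token secret that never leaves the device
    in the clear; it only answers challenges."""

    def __init__(self, token_id: str, secret: bytes):
        self.token_id = token_id
        self._secret = secret
        self.plugged_in = True

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._secret, challenge, hashlib.sha256).digest()


class SignOnAgent:
    """Host-side agent: enrols a user with a token and a password, then requires both."""

    def __init__(self):
        self._users = {}      # username -> (token_id, token_secret, salt, pwd_hash)
        self._sessions = {}   # username -> Token currently trusted

    @staticmethod
    def _hash_pwd(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def enrol(self, username: str, token: Token, password: str) -> None:
        """Installation step: bind the user to one token and one password."""
        salt = os.urandom(16)
        # The host keeps a copy of the token secret for verification only (see note below).
        self._users[username] = (token.token_id, token._secret, salt, self._hash_pwd(password, salt))

    def _token_ok(self, token_id: str, token_secret: bytes, token) -> bool:
        """Challenge the presented token; a fresh random challenge defeats replay."""
        if token is None or not token.plugged_in or token.token_id != token_id:
            return False
        challenge = secrets.token_bytes(32)
        expected = hmac.new(token_secret, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, token.respond(challenge))

    def sign_on(self, username: str, token, password: str) -> bool:
        """Sign-on step: both factors must pass; neither is sufficient alone."""
        rec = self._users.get(username)
        if rec is None:
            return False
        token_id, token_secret, salt, pwd_hash = rec
        have = self._token_ok(token_id, token_secret, token)
        know = hmac.compare_digest(pwd_hash, self._hash_pwd(password, salt))
        if have and know:
            self._sessions[username] = token
            return True
        return False

    def reverify(self, username: str) -> bool:
        """Periodic check: re-challenge the token and drop the session if it is gone."""
        token = self._sessions.get(username)
        if token is None:
            return False
        token_id, token_secret, _, _ = self._users[username]
        if self._token_ok(token_id, token_secret, token):
            return True
        self._sessions.pop(username, None)
        return False


def demo() -> dict:
    """Run the enrolment, the sign-on attempts and the re-verification; return each outcome."""
    agent = SignOnAgent()
    tok = Token("SOK-0001", os.urandom(32))            # constructed token
    agent.enrol("alice", tok, "correct horse")
    results = {
        "both factors": agent.sign_on("alice", tok, "correct horse"),
        "wrong password": agent.sign_on("alice", tok, "guess"),
        "no token": agent.sign_on("alice", None, "correct horse"),
        "wrong token": agent.sign_on("alice", Token("SOK-0002", os.urandom(32)), "correct horse"),
    }
    results["reverify present"] = agent.reverify("alice")
    tok.plugged_in = False                              # user pulls the key out
    results["reverify removed"] = agent.reverify("alice")
    results["session dropped"] = agent.reverify("alice")
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Two points a reviewer would raise on this design: the host keeps a copy of every token secret, so a compromised host database exposes all keys (a certificate-based token, which the PKCS #11 and X.509 remarks on this page point toward, keeps a private key that never leaves the device and avoids that); and the "Sign-On-Key replaces the password" mode listed above reduces the scheme to a single factor, which is why the example insists on both.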
Sign-On-Key As a Secure Container 

* In addition to unique Key ID, Sign-On-Key will contain personal protected memory area 

* This memory area can be used for storing sensitive information and Certificates 

* Applications' ID keys like Lotus Notes ID file or PGP keys can be stored in this memory 

* Doing so - Sign-On-Key can be used to increase mobile computing security. Files IDs are 
stored in Sign-On-Key instead of disk 

Sign-On-Key An Encryption Engine & Sign-On-Key Crypt 

* Sign-On-Key can be used as an encrypting device 

* An encryption API may be provided, e.g., a 100% smart card compatible Sign-On-Key 
implementation 

* Sign-On-Key Crypt is a Data/File/Hard disk encryption utility based on Sign-On-Key. 
Sign-On-Key Certification Toolkit 

* SOK may use PKCS and X.509 and store certificates and/or digital IDs. 

Sign-On-Key comprises: 

* Sign-On-Key USB Token 

* HASP 

* Hardlock 

* Initial Sign-On-Key functionality (Unique ID, personal protected memory) 

* Sign-On-Key USB extension cable 

* Sign-On-Key Smart Card Token 

* Sign-On-Key API (PKCS #11 compliant) 

* Entrust compatibility/link 

* Windows NT Agent 
* Navigator and/or Explorer Agent (S/MIME) 

* Key Plus Crypt (Beta release) 

* Secure Screen Saver 

* Initial marketing package 

* USB proliferation & Windows 98/NT availability are key issues 

* In the US, Germany & Israel all new PCs shipped are USB equipped. 

* Sector is in early development stage. 

* Security Dynamics, ActivCard & Vasco control the market with 1st generation time-based, 
one-time password or challenge-based tokens 

* Security vendors will look to expand their market share with second generation integrated 
smart card offerings which will support cryptography, digital signature storage and processing 
activity 

USB: The Better Connection 

* Almost unlimited port expansion 

* No add-in cards for new peripherals 

- no setting of IRQs, DMAs, etc. 

* One connection type (plug and port) 

- variety of peripherals 

- no more guess work 

- simple setup, just plug in and go 

USB: The Better Connection 

* Addresses need for speed, multimedia 

- 12 Mb/s, Asynch (bulk) & Isoch (real time) data 

- stereo-quality digital audio 

- high frame-rate video (with compression) 

- low latency applications (force-feedback) 

* No power bricks with many new peripherals 

- USB supplies up to 500mA 

* PC User experience is vastly improved 

- Fewer returns and increased sales potential 



It is appreciated that USB is only one example of a flexible connectivity 
standard and the present invention is not intended to be limited to USB. 

It is appreciated that the software components of the present invention may, if 
desired, be implemented in ROM (read-only memory) form. The software components may, 
generally, be implemented in hardware, if desired, using conventional techniques. 

It is appreciated that various features of the invention which are, for clarity, 
described in the contexts of separate embodiments may also be provided in combination in a 
single embodiment. Conversely, various features of the invention which are, for brevity, 
described in the context of a single embodiment may also be provided separately or in any 
suitable subcombination. 

It will be appreciated by persons skilled in the art that the present invention is 
not limited to what has been particularly shown and described hereinabove. Rather, the scope 
of the present invention is defined only by the claims that follow. 



4. Brief Description of Drawings 

Fig. 1 is a simplified block diagram of a USB plug device including a CPU and 
a non-ISO 7816 memory, the USB device being constructed and operative in accordance with 
a preferred embodiment of the present invention; 

Fig. 2 is a simplified block diagram of a USB plug device including a CPU and 
an ISO 7816 memory, the USB device being constructed and operative in accordance with a 
preferred embodiment of the present invention; 

Fig. 3 is an exploded front view of an FCCS plug constructed and operative in 
accordance with a preferred embodiment of the present invention and implementing the USB 
plug device of Fig. 1; 

Fig. 4 is an exploded view of an FCCS plug constructed and operative in 
accordance with a preferred embodiment of the present invention and implementing the USB 
plug device of Fig. 2; and 

Figs. 5A - 5B pictorially illustrate a user-computer interaction method 
provided in accordance with a preferred embodiment of the present invention for use by a 
population of flexibly connectible computer systems and a population of mobile users. 
FIG. 1 

FIG. 2 

FIG. 3 
Abstract 

A user-computer interaction method for use by a population of flexibly 
connectible computer systems and a population of mobile users, the method comprising 
storing information characterizing each mobile user on an FCCS plug to be borne by that 
mobile user; and accepting the FCCS plug from the mobile user for connection to one of the 
flexibly connectible computer systems and employing the information characterizing the 
mobile user to perform at least one computer operation. 